How does Push enrich detections with domain analysis data?
You can configure Push to integrate with two third-party sources: urlscan.io and Neutrino domain lookup. These tools provide domain analysis that scans for potential security threats, enriching the information about a domain or an IP address associated with a Push detection.
By pulling in enrichment from urlscan, you can quickly see:
The number of times a domain was scanned (up to 10,000).
The first time a domain was scanned.
The last time a domain or IP was scanned.
A urlscan.io verdict based on the first 500 scans. If 1 or more scans were marked malicious by urlscan, the verdict will show in the Push platform as “potentially malicious.”
Push also supplies the timestamp for domain registration via the whois service Neutrino. This enrichment helps you understand useful context about a detection so you can triage it effectively.
Common signals to look for when reviewing this data:
Was a domain recently registered? If so, this is often a signal of suspicious activity.
Was a domain or IP recently scanned for the first time? This can sometimes indicate a new phishing campaign targeting multiple organizations.
Has a domain or IP never been scanned? This can sometimes be a signal of a new phishing campaign targeting your organization.
Information from these enrichments appears on the details slideout for an individual detection on the Detections page of the Push admin console.
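The review signals listed above can be checked the same way for every detection. The following is an added example, not code from Push: the record layout (registered_at, first_scanned, last_scanned, scan_count, verdict), the function name triage_signals and the 30-day cutoff for "recently" are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

RECENT = timedelta(days=30)   # assumed cutoff for "recently"; tune to your own triage policy
SCAN_COUNT_CAP = 10_000       # the page says the scan count is reported up to 10,000


def triage_signals(enrichment, now):
    """Return the review signals raised by one domain's enrichment record.

    `enrichment` is a hypothetical dict (not Push's export format) with keys:
    registered_at, first_scanned, last_scanned (aware datetimes or None),
    scan_count (int) and verdict (str or None).
    """
    signals = []
    registered = enrichment.get("registered_at")
    if registered is None:
        signals.append("registration date unavailable")
    elif now - registered <= RECENT:
        signals.append(f"domain registered {(now - registered).days} days ago")

    count = enrichment.get("scan_count") or 0
    first = enrichment.get("first_scanned")
    if count == 0 or first is None:
        # No existing scans: enrichment only searches, it never submits a new scan.
        signals.append("never scanned by urlscan")
    else:
        if now - first <= RECENT:
            signals.append(f"first scanned {(now - first).days} days ago")
        if count >= SCAN_COUNT_CAP:
            signals.append("scan count at the 10,000 cap; true total may be higher")

    if enrichment.get("verdict") == "potentially malicious":
        signals.append("urlscan verdict: potentially malicious")
    return signals


# Constructed sample records, not real detections.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLES = {
    "fresh-login.example": {
        "registered_at": NOW - timedelta(days=3), "scan_count": 0,
        "first_scanned": None, "last_scanned": None, "verdict": None},
    "old-portal.example": {
        "registered_at": NOW - timedelta(days=2000), "scan_count": 10_000,
        "first_scanned": NOW - timedelta(days=1500),
        "last_scanned": NOW - timedelta(days=1), "verdict": "potentially malicious"},
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(domain, triage_signals(record, NOW))
```

An empty result means none of the listed signals fired for that domain; it does not mean the domain is safe.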

To enable enrichment, go to Settings > Advanced > Detection enrichment > Domain enrichment.

When is a detection enriched?
Once enrichment is enabled, Push will attempt to retrieve data as soon as a detection occurs. Opening a Detections slideout will trigger a fresh query to update the third-party enrichment data. You can also force an update by using the refresh icon.
Note that the urlscan enrichment process does not trigger a new scan of a domain (or IP address); it just runs a search of existing scans.
How do I see enrichment for all domains associated with a detection?
If there are multiple domains involved in a detection, you can click on each domain from the Detections details slideout to see urlscan and domain registration enrichment for that domain.
